Configure Pass-through Authentication for Citrix XenApp 6.5


This is the seventh post in the Installing and Configuring Citrix XenApp 6.5 Series:

  1. Install and Configure Citrix XenApp Licensing
  2. Install and Configure Citrix XenApp 6.5
  3. Configure Web Interface for Citrix XenApp 6.5
  4. Publishing Applications with Citrix XenApp 6.5
  5. Install and Configure Profile Management for Citrix XenApp 6.5
  6. Add Servers to a XenApp 6.5 Farm
  7. Configure Pass-through Authentication for Citrix XenApp 6.5 (this post)
  8. Install and Configure Citrix Secure Gateway


This post contains the following sections:

Prerequisites to enable Pass-through Authentication for Citrix XenApp 6.5

Make sure you follow these steps first to ensure Pass-through Authentication works first time.

Add the Web/Services site(s) to the Intranet or Trusted Sites Zone in Internet Explorer

  1. Open Internet Explorer (the only supported browser) and navigate to the Citrix Web Interface site (eg. http://ctxxa01/Citrix/XenApp).
  2. Open Internet Options > Security tab.
  3. If it’s already on Local intranet, you don’t need to make any changes:
  4. This is because by default, the Local intranet zone has Automatic logon enabled in the Custom level settings:
  5. If the site is not in the Local intranet zone, you can add it by clicking Sites, then Advanced:
  6. Enter the site URL, then click Add:

Enable Windows Authentication for IIS

  1.  Make sure the Windows Authentication Role Service is installed on the Web Interface server (CTXXA01 in our case):
  2. Within IIS Manager, select your XenApp Web Site (our’s is Default Web Site > Citrix > XenApp), then click Authentication in the IIS Section:
  3. Make sure Windows Authentication is Enabled (if not, right-click > Enable):

Use Citrix Receiver Enterprise

For Pass-through authentication to work, your client PCs need to have the SSON process running (ssonsvr.exe):

Citrix Receiver Enterprise enables this be default, so it’s easier just to use that.

You can also use the standard Citrix Receiver, but you will need to install it with the following switch:

CitrixReceiver.exe /includeSSON ENABLE_SSON=Yes

Enable Pass-through Authentication via Group Policy

  1. Open the Group Policy Management console.
  2. Create a new Group Policy Object (GPO), or edit an existing one:
  3. Right-click the GPO and select Edit.
  4. Expand Computer Configuration > Policies.
  5. Right-click Administrative Templates, then select Add/Remove Templates:
  6. Navigate to the template file – C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm (this will only be there if Citrix Receiver is installed)
  7. Once added, click Close:
  8. Expand Administrative Templates > Classic Administrative Templates > Citrix Components > Citrix Receiver > User authentication:
  9. Open Local user name and password setting, and select Enabled:
  10. Click OK to close the settings window, then close the Group Policy Management Editor.

Enable Pass-through Authentication for XenApp Web Sites

  1. Open the Citrix Web Interface Management console.
  2. Highlight your XenApp Web Site under XenApp Sites, then click Authentication Methods:
  3. Tick the Pass-through tickbox:
  4. To use Kerberos Authentication, click Properties.
  5. Navigate to Pass-Through > Kerberos Authentication, then tick Use Kerberos Authentication to connect to servers:
  6. Click OK twice to close the windows.

Enable Pass-through Authentication for XenApp Services Sites

  1. Open the Citrix Web Interface Management console.
  2. Highlight your XenApp Services Site under XenApp Services Sites, then click Authentication Methods:
  3. Tick the Pass-through tickbox, then click Set as Default:
  4. To use Kerberos Authentication, click Properties.
  5. Navigate to General > Kerberos Authentication, then tick Use Kerberos only:
  6. Click OK twice to close the windows.

Testing Pass-through Authentication for Citrix XenApp 6.5

XenApp Web Sites

  1. For XenApp Web Sites, simply open Internet Explorer and enter the URL (eg. http://ctxxa01/Citrix/XenApp).
  2. If you’re applications are displayed without logging in, it’s working:

XenApp Services Sites

  1. From a computer with Citrix Receiver installed, right-click the Receiver icon in the Notification Area, then select Preferences:
  2. In the Plug-in status section, right-click the Online Plug-in and select Options:
  3. Make sure Pass-through authentication is selected for the Logon Mode:
  4. If you can open published applications using shortcuts on the desktop or Start Menu, without having to enter credentials, pass-through authentication is working.

Cross Domain, Cross Forest Authentication for Citrix XenApp 6.5

I wanted to test out Multi-Site, Cross Domain and Cross Forest Authentication for a customer, so I rebuilt the lab from scratch using Server 2008 R2 as before, but this time added Win7 Client PCs for completeness:

I set up the following Domain Structure:

  • Forest 1:
    • Root Domain: vilab.local (two sites: Bristol and London)
      • Sub Domain: uk (uk.vilab.local – One Site: Cardiff)
  • Forest 2
    • Root Domain: dom.local

A Two-way Transitive Forest Trust was created between the Forests:

I had a few issues to begin with, but once I checked all the prereqs including:

  • Add the Web/Services site(s) to the Intranet or Trusted Sites Zone in Internet Explorer
  • Enable Pass-through Authentication via Group Policy (using icaclient.adm)

everything worked perfectly.

In Web Interface, I didn’t have any restrictions on the Domains that could authenticate:



However, if Pass-through Authentication fails, it’s nice to have the Domains available in a drop-down menu.

To do this, navigate to Explicit > Authentication Type > Settings:

Add your Domains here:

During troubleshooting, I read that I would have to enable Allow Cross-Forest User Policy and Roaming User Profiles via GPO under Computer Configuration > Policies > Administrative Templates > System > Group Policy:

However, since I got things working, I removed this setting, and everything still works fine.

Almost forgot, one annoying thing I found was I couldn’t add User Groups from the Sub Domain (uk.vilab.local) or second Forest (dom.local), to a Published Application’s configured users area:

Every time I tried, I would get this error:

Some users or groups cannot log on to all servers configured for this application. Invalid users will be removed from the configured user list.

The solution was to rebuild the local host cache on every XenApp server, by running the following commands at a command prompt:

  1. net stop imaservice
  2. dsmaint recreatelhc
  3. net start imaservice

Once I did the above steps on both XenApp servers, I was able to add the User Groups from each domain and Pass-through Authentication worked, with applications opening without issue.
Job done!



  1. Well done, Adam. It`s a great how-to!


  2. tinyang says

    Hi Adam, great tutorial. I was just wondering which version of the receiver you are using, I don’t have a preferences option in the right-click menu for my receiver. Thanks.